Customers roast Microsoft over security bulletins' demise

When Microsoft asked customers last week for feedback on the portal that just replaced the decades-long practice of delivering detailed security bulletins, it got an earful from unhappy users.

"Hate hate hate the new security bulletin format. HATE," emphasised Janelle 322 in a support forum where Microsoft urged customers to post thoughts on the change.

"I now have to manually transcribe this information to my spreadsheet to disseminate to my customers. You have just added 8 hours to my workload. Thanks for nothing."

Janelle 322 and others left scathing comments on the support forum Microsoft touted Friday as the place to post comments and questions about the Security Update Guide (SUG), the online portal which took the place of familiar bulletins.

Microsoft announced the demise of bulletins in November 2016, saying then that the new process would debut Feb. 14.

Those web-published bulletins had been a cornerstone of Microsoft's patch disclosure policies since at least 1998.

The bulletins' thoroughness and transparency were long praised by security professionals, who considered them the benchmark against which all other vendors' efforts were compared.

After a two-month delay, Microsoft dropped bulletins with the April 11 collection of security fixes. A day later, one patch expert said the switch from bulletins to SUG had expanded his workload by about six times.

Customers echoed the added-work theme in comments on the support thread.

"I typically spend 2-3 hours to read through and determine what updates need to go to our systems, document, etc. I spent a solid 8 hours trying to make sense of everything today and get it organised, and I'm not close to being finished," reported Jim24Mac.

"What I had to go through today was an abomination. I download[ed] the spreadsheet with 670 lines of exploit info that I'm supposed to somehow find useful to determine what I need and why. It's terrible."

Other critics got more specific.

"While calling out the security issue via CVEs [Common Vulnerabilities & Exposures] is valid, for the system admin/patcher the new format doesn't relate well at all to what we see to approve and patch," wrote Susan Bradley, a noted Windows patch expert who writes for the Windows Secrets newsletter.

"While it's appreciated to have a searchable database in the Security Update Guide, it is too cumbersome to use to quickly get the information needed on Update Tuesday. To get the same information took way too many steps and required collaboration with other sources to confirm information.

"Bottom line we have a communication problem," Bradley continued. "You are talking CVEs [but] we're still needing something that showcases what we see needing to be installed on our PCs.

"If there is any way to better filter down the information and make it better trackable to what we see installed, that would be grand."
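One way to close the gap Bradley describes, as an added example rather than anything from the article or from Microsoft: pivot a per-CVE export into a per-KB view, then diff it against the KB numbers a machine reports as installed. The column names, CVE ids and KB numbers below are constructed placeholders, not copied from the real Security Update Guide file.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the shape of a per-CVE export; the column names are
# assumed for this example and the CVE/KB values are obvious placeholders.
SAMPLE_SUG_CSV = """Product,Platform,CVE,Severity,Article
Windows 10 Version 1607,x64,CVE-0000-0001,Critical,KB9000001
Windows 10 Version 1607,x64,CVE-0000-0002,Important,KB9000001
Windows 10 Version 1607,x64,CVE-0000-0003,Moderate,KB9000001
Windows Server 2012 R2,x64,CVE-0000-0001,Critical,KB9000002
Windows Server 2012 R2,x64,CVE-0000-0004,Important,KB9000002
Microsoft Office 2016,,CVE-0000-0005,Important,KB9000003
"""

SEVERITY_RANK = {"Low": 1, "Moderate": 2, "Important": 3, "Critical": 4}


def rank(severity):
    """Unknown or blank severities rank below Low so they never win a comparison."""
    return SEVERITY_RANK.get(severity, 0)


def parse_sug_csv(text):
    """Read the CSV export into one dict per CVE/product row."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize_by_article(rows):
    """Pivot per-CVE rows into one entry per KB article: CVEs, products, worst severity."""
    summary = defaultdict(lambda: {"cves": set(), "products": set(), "max_severity": ""})
    for row in rows:
        entry = summary[row["Article"]]
        entry["cves"].add(row["CVE"])
        entry["products"].add(row["Product"])
        if rank(row["Severity"]) > rank(entry["max_severity"]):
            entry["max_severity"] = row["Severity"]
    return dict(summary)


def missing_articles(summary, installed_kbs):
    """KB articles not in the installed set, worst severity first (e.g. from 'wmic qfe' output)."""
    pending = [kb for kb in summary if kb not in installed_kbs]
    return sorted(pending, key=lambda kb: (-rank(summary[kb]["max_severity"]), kb))


if __name__ == "__main__":
    by_kb = summarize_by_article(parse_sug_csv(SAMPLE_SUG_CSV))
    for kb in missing_articles(by_kb, {"KB9000001"}):  # constructed "installed" set
        e = by_kb[kb]
        print(kb, e["max_severity"], len(e["cves"]), "CVEs", sorted(e["products"]))
```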

"The change did nothing to make our lives easier and made it much more difficult to determine our internal severity based on the attack methods," added J_DDS on the same thread. "I'm all for a searchable database but don't trash the system that worked perfectly in the past."

Microsoft's stock response in the support threads was penned by Chris Wojahn, a senior escalation engineer in the support group.

"We understand the concern about the changes made to ... the Security Update Guide replacing the numerous KBs [knowledge base documents] of the past," Wojahn wrote. "The change is to align with the move from individual updates to the cumulative update process."

Wojahn's explanation for the change was contrary to what Microsoft last year claimed had prompted the decision.

"Our customers have asked for better access to update information, as well as easier ways to customise their view to serve a diverse set of needs," the Microsoft Security Response Center stated in November when it announced the latest switch.

Microsoft never linked the death of bulletins to its earlier decision to eliminate individual patches and, in their stead, provide only cumulative security updates for all versions of Windows. Instead, its vague rationale only mystified customers.

"They were all scratching their heads, wondering why Microsoft made it harder to find stuff," said Chris Goettl, product manager with patch management vendor Ivanti, of users who attended an April 12 webinar on the month's patches.

The lack of communication was something another critic focused on in comments to the support forum.

"Honestly I know you've communicated random fragments of this ... change across random Microsoft blogs, but Microsoft should have done a better job in making it a bit clearer," said chicaneUK. "I don't understand how this is an improvement of the process, nor how it is saving us time or making things easier."


Copyright 2017 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.